Re: [PATCH] x86/coredump: always use user_regs_struct for compat_elf_gregset_t

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/09/2016 02:14 AM, Andy Lutomirski wrote:
On Nov 23, 2016 10:16 AM, "Dmitry Safonov" <dsafonov@xxxxxxxxxxxxx> wrote:

From commit 90954e7b9407 ("x86/coredump: Use pr_reg size, rather that
TIF_IA32 flag") elf coredump file is constructed according to register
set size - and that's good: if binary crashes with 32-bit code selector,
generate 32-bit ELF core, otherwise - 64-bit core.
That was made for restoring 32-bit applications on x86_64: we want
32-bit application after restore to generate 32-bit ELF dump on crash.
All was quite good and recently I started reworking 32-bit applications
dumping part of CRIU: now it has two parasites (32 and 64) for seizing
compat/native tasks, after rework it'll have one parasite, working in
64-bit mode, to which 32-bit prologue long-jumps during infection.

And while it has worked for my work machine, in VM with
!CONFIG_X86_X32_ABI during reworking I faced that segfault in 32-bit
binary, that has long-jumped to 64-bit mode results in dereference
of garbage:

Can you point to the actual line that's crashing?  I'm wondering if we
have code that should be made more robust.

Hi Andy,

Here it is:

> static int fill_thread_core_info(struct elf_thread_core_info *t,
> 				 const struct user_regset_view *view,
> 				 long signr, size_t *total)
> {
> 	unsigned int i;
> 	unsigned int regset_size = view->regsets[0].n * view->regsets[0].size;

For now the regset_size is 64-bit registers set's size if 32-bit ELF
crashed with 64-bit CS.

>
> 	/*
> 	 * NT_PRSTATUS is the one special case, because the regset data
> 	 * goes into the pr_reg field inside the note contents, rather
> 	 * than being the whole note contents.  We fill the reset in here.
> 	 * We assume that regset 0 is NT_PRSTATUS.
> 	 */
> 	fill_prstatus(&t->prstatus, t->task, signr);
> 	(void) view->regsets[0].get(t->task, &view->regsets[0], 0, regset_size,
> 				    &t->prstatus.pr_reg, NULL);

And here is writing to elf_thread_core_info::prstatus::pr_reg,
prstatus member is typed compat_elf_prstatus as binfmt_elf
interpreter that was used to load the program is from
fs/compat_binfmt_elf.c:
> #define elf_prstatus	compat_elf_prstatus
> #define elf_prpsinfo	compat_elf_prpsinfo

So, we're overwriting elf_thread_core_info structure's content by
writing bigger regset than it can hold.
(.get() method is genregs_get() from arch/x86/kernel/ptrace.c)

The crash happens afterwards, when we're trying to dereference some
fields of elf_thread_core_info - for me it was as you can see in
writenote():
  [<ffffffff811d6929>] ? writenote+0x19/0xa0
  [<ffffffff811d9479>] elf_core_dump+0x11a9/0x1480
  [<ffffffff811dc70b>] do_coredump+0xa6b/0xe60
  [<ffffffff81065820>] ? signal_wake_up_state+0x20/0x30
  [<ffffffff81065941>] ? complete_signal+0xf1/0x1f0
  [<ffffffff810679e8>] get_signal+0x1a8/0x5c0
  [<ffffffff8101b1a3>] do_signal+0x23/0x660

In my point of view 64-bit regset is generated rightly - otherwise
I couldn't see x86_64 registers in gdb for that kind of crashes.
So, I fixed it as simple as possible - by having one size for
compat_elf_gregset_t independent of CONFIG_X86_X32_ABI option.

--
             Dmitry

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]